I have a static website which needs to be pentested. It has only got one form which updates some data on the server and I have pentested it with some blind PHP and SQL injection.
The site is hosted on a shared server and it has cpanel.

How should I go about pentesting my website? Is bruteforcing the cpanel the only option?
My website has already been defaced by some hacker. Please tell me whether my approach is correct towards pentesting that website.

Penetration testing is hard and your system is backdoored. Reinstall the latest versions of every web application you are running, scorched earth, don't reuse anything. If you are still having problems, then hire a professional.
– Rook Oct 28 '12 at 17:35

3 Answers

I agree with the comment above: once the server has been compromised, you should start by considering all data, files, and processes on the server as tainted. And as mentioned above, start over.

If you can identify exactly what has been compromised (from what hasn't), then you could probably take a partial restore. But if this is not the case, stick to the recommendation above.

In terms of data (text), hopefully you have a backup that hasn't been tampered with by the attack. But be very wary of trusting data (text), as I have seen webpages that include bot commands disguised as HTML tags.

To analyze a website, think first about the different components it uses. As you listed: PHP, cPanel, database (as you mentioned SQL injection). Then add the other components, such as the web server (are you running Apache, Tomcat or something else?) and the authentication process you are using (is it HTTP digest authentication, or maybe LDAP?). What is the password policy for your website? Once you have a list of the different components, check their configuration and/or patching status (is everything updated?).

To take a more complete approach to reviewing the security of your website, I also agree with the previous comment on using the OWASP website. They have very good docs and tools to help you. I would start with the OWASP Top 10 Web Application Security Risks to give you an overall idea of the problems commonly found in web sites. Then I would use the OWASP Testing Guide mentioned above, which is more detailed and lists tools and examples of attacks.

Also consider using OpenVAS Vulnerability Scanner (openvas.org) and NMAP Security Scanner (nmap.org). These tools are very powerful and easy to set up. NMAP will give you a list of open ports in your web server (so you can ask if those ports should be open and which processes are running on the ports), while OpenVAS tests for vulnerabilities on those ports (you can also run OpenVAS locally to look for non-port related issues).

Finally, look first for the 'low-hanging fruit' problems. Start by asking if there is a weak password or a mis-configured service that the attacker may have used to deface your server. Attackers usually look for these things first... and unfortunately it works a lot of the time.
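The answer above suggests running NMAP and then asking whether each open port should be open. The following is an added example (not code from the answer's author) of how a site owner can turn that into a repeatable check: it parses nmap's grepable output (`nmap -oG scan.gnmap <host>`, a format the real tool produces) and reports open ports that are not on the owner's expected list. The sample scan output, the host address, and the expected-port list are constructed for illustration and do not come from a real scan.

```python
"""Reconcile an nmap port scan with the ports a shared web host is expected to expose.

Added example for the answer above; not part of the original post. Parses nmap's
grepable (-oG) output and reports open ports missing from an allowlist, so each one
can be traced to a process and closed or firewalled if it is not needed.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed sample of nmap -oG output for a hypothetical host (not a real scan).
SAMPLE_GNMAP = """\
# Nmap 7.94 scan initiated as: nmap -oG scan.gnmap www.example.test
Host: 203.0.113.10 (www.example.test)\tStatus: Up
Host: 203.0.113.10 (www.example.test)\tPorts: 21/open/tcp//ftp///, 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///, 2082/open/tcp//infowww///, 3306/open/tcp//mysql///, 8080/filtered/tcp//http-proxy///\tIgnored State: closed (993)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# What the site owner believes should be reachable from the Internet on this host.
# Constructed allowlist: HTTP, HTTPS and the cPanel HTTPS port; adjust to your own host.
EXPECTED_OPEN = {("tcp", 80), ("tcp", 443), ("tcp", 2083)}


@dataclass(frozen=True)
class PortEntry:
    host: str
    port: int
    proto: str
    state: str
    service: str


def parse_gnmap(text: str) -> list[PortEntry]:
    """Extract per-port entries from nmap grepable output.

    Each port token has the form port/state/protocol/owner/service/rpcinfo/version/
    (slash-separated fields); tokens are separated by ', ' and the line's sections
    (Host, Ports, Ignored State) are tab-separated.
    """
    entries: list[PortEntry] = []
    for line in text.splitlines():
        if not line.startswith("Host:") or "Ports:" not in line:
            continue  # comment lines and the Status-only line carry no ports
        fields = {}
        for field in line.split("\t"):
            key, _, value = field.partition(": ")
            fields[key] = value
        host = fields["Host"].split(" ")[0]
        for token in fields["Ports"].split(", "):
            parts = token.split("/")
            if len(parts) < 5:
                continue  # malformed token: skip rather than crash the whole report
            entries.append(PortEntry(host, int(parts[0]), parts[2], parts[1], parts[4]))
    return entries


def unexpected_open_ports(entries: list[PortEntry], expected=EXPECTED_OPEN) -> list[PortEntry]:
    """Return open ports the owner did not plan to expose, sorted by protocol and port."""
    return sorted(
        (e for e in entries if e.state == "open" and (e.proto, e.port) not in expected),
        key=lambda e: (e.proto, e.port),
    )


if __name__ == "__main__":
    for e in unexpected_open_ports(parse_gnmap(SAMPLE_GNMAP)):
        print(f"{e.host}: {e.port}/{e.proto} ({e.service}) is open but not expected; "
              f"identify the owning process and close or firewall it if unneeded")
```

Filtered ports are deliberately left out of the report (only `open` counts), and the allowlist is the part to maintain: once every remaining open port has a known owner, re-running the scan after each change tells you whether something new appeared.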

Once your website has been hacked, you cannot continue safely using it. You must kill it with fire and start over. Wipe the whole thing, then re-install the application from a known-good source (or possibly restore from a known-good backup taken before you were hacked: but be sure that it predates the hack).

Once your website is hacked, there is no basis for trust. The hacker could have left any number of backdoors (hackers usually do), and there is no way to detect them. Pentesting is not going to find backdoors left by a hacker. Pentesting is not the answer: you need to wipe and re-install.

Immediately after re-installing, make sure to update the software and lock it down so you don't get hacked again.
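Both answers make the same point: everything on the compromised host is tainted, and the only trustworthy starting point is a clean install from a known-good source or a backup that predates the hack. The following is an added example (not code from either answer's author) of how to make that "known-good" judgement concrete: build a SHA-256 manifest of a clean copy of the application, then compare the tree you intend to put back online against it, reporting files that were modified, added or removed. Planted files and defaced pages show up as "added" and "modified" respectively. The directory layout and file contents below are constructed in a temporary directory purely for the demonstration; in practice the manifest is built from a fresh vendor download or a verified old backup and stored off the host.

```python
"""Compare a web root against a known-good file manifest.

Added example for the two answers above; not code from the original posts. A manifest
built from a clean copy of the application is compared against the tree under review
so that anything the attacker changed, dropped in, or deleted is listed by path.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from pathlib import Path


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path (relative to root, POSIX form) to its SHA-256 hex digest."""
    manifest: dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):  # os.walk also lists dotfiles
        for name in filenames:
            path = Path(dirpath, name)
            digest = hashlib.sha256(path.read_bytes()).hexdigest()
            manifest[path.relative_to(root).as_posix()] = digest
    return manifest


def compare_manifests(known_good: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify differences between a trusted manifest and the tree under review."""
    modified = sorted(p for p in known_good if p in current and known_good[p] != current[p])
    added = sorted(p for p in current if p not in known_good)
    missing = sorted(p for p in known_good if p not in current)
    return {"modified": modified, "added": added, "missing": missing}


def write_tree(root: Path, files: dict[str, str]) -> None:
    """Lay out a constructed directory tree for the demonstration."""
    for rel, content in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)


def demo() -> dict[str, list[str]]:
    """Build a clean tree and a tampered copy (constructed data), then diff them."""
    clean = {
        "index.php": "<?php echo 'hello'; ?>\n",
        "contact.php": "<?php /* form handler */ ?>\n",
        "css/site.css": "body { margin: 0 }\n",
    }
    tampered = dict(clean)
    tampered["index.php"] = "<?php echo 'defaced'; ?>\n"          # defaced page
    tampered["images/.cache.php"] = "<?php /* planted file */ ?>\n"  # file the clean copy never had
    del tampered["css/site.css"]                                   # file removed
    with tempfile.TemporaryDirectory() as tmp:
        clean_root, current_root = Path(tmp, "clean"), Path(tmp, "current")
        write_tree(clean_root, clean)
        write_tree(current_root, tampered)
        return compare_manifests(build_manifest(clean_root), build_manifest(current_root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

A manifest like this is only as trustworthy as the copy it was built from, which is why the answers insist on a vendor download or a backup that clearly predates the incident; comparing a backup against the vendor release is also a quick way to decide whether that backup is itself clean enough to restore. Keeping the manifest after the reinstall gives you a baseline for the "lock it down so you don't get hacked again" step: re-running the comparison later shows whether the web root has drifted.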